This is part of what the developer released to fix the security vulnerability disclosed responsibly on WHT [1] (tl;dr of that thread by the OP [2]). Beyond the ridiculous response of the developer in the thread, the fix released doesn't even fix the issue. Some other security researcher released the root vuln [3], and basically every install of this software is about to be rooted. And that's all before the ridiculousness of passing a root password over http, which strips "special characters", that is used to log in to your box and upgrade their software. If you read the linked thread, it's like a case study on how NOT to respond to a security disclosure.

[1] - http://www.webhostingtalk.com/showthread.php?t=1275572
[2] - http://www.webhostingtalk.com/showpost.php?p=8727714&postcount=148
[3] - http://localhost.re/p/zamfoo-120-vulnerability
See this thread for their response: http://www.webhostingtalk.com/showthread.php?t=1275572

I tried submitting it to HN, but I receive an error: "stop spamming us, you are wasting your time". Does anyone know why this is? (I'm most definitely not a spammer.)
This is the upgrade procedure for a critical security vulnerability found here: http://www.webhostingtalk.com/showthread.php?t=1275572
Since the exploit lets you easily root the install, couldn't Zamfoo just patch all his users' machines themselves?

That would make about as much sense as everything else they've done....
I guess a real script with `curl "zamfoo.com/?license=$ZAMFOO_LICENSE" | sh` was too hard, so I'm better off giving my root password to strangers.
Plus there's this gem [1] about a "kill switch" that disables every single install of the software.

"not only that. there is an emergency kill switch. if you release the patch i will pull the switch and no one can use the software. your exploit will not work if i do that. the plugin will become useless until i turn it back on."

[1] http://www.webhostingtalk.com/showpost.php?p=8724954&postcount=17
The upgrading process seems easy.
Just have to send your IP address, root user name, password, and license key through a form... and you can do it through the fast http scheme rather than the slow https.
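To make concrete what the two comments above (the root password "passing over http" in the first post, and the IP/root user/password/license form here) are complaining about, here is an added example that is not code from Zamfoo, the WHT thread, or any commenter. The form field names, the host name and the captured request bytes are constructed assumptions; the point is that a plaintext form POST carrying root credentials is fully recoverable by anyone on the network path with no decryption step, and that a client-side guard against non-https endpoints is a one-line check.

```python
"""Recovering root credentials from a plaintext HTTP form POST.

Added example, not Zamfoo's or the thread's code. The field names
(ip, user, pass, license), the host and the request bytes below are
constructed to illustrate the weakness, not taken from the real form.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed capture: what an upgrade-form submission looks like on the wire
# when the form is served over http. A hosting LAN neighbour, a transit
# provider or a compromised router sees exactly these bytes.
CAPTURED_REQUEST = (
    b"POST /upgrade.php HTTP/1.1\r\n"
    b"Host: upgrade.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 67\r\n"
    b"\r\n"
    b"ip=203.0.113.10&user=root&pass=Tr0ub4dor%263&license=ABCD-1234-EFGH"
)


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so trailing bytes from the same TCP stream are ignored.
    length = int(headers.get("content-length", len(body)))
    return {"method": method, "path": path, "headers": headers, "body": body[:length]}


def extract_credentials(raw: bytes) -> dict:
    """Pull every form field out of a plaintext urlencoded POST.

    No key, no decryption: the body is the credentials, percent-encoded.
    """
    req = parse_http_request(raw)
    ctype = req["headers"].get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        raise ValueError("not a urlencoded form POST")
    form = parse_qs(req["body"].decode("utf-8"), keep_blank_values=True)
    return {name: values[0] for name, values in form.items()}


def credential_endpoint_is_acceptable(url: str) -> bool:
    """Client-side guard: credentials may only be submitted to an https URL."""
    return urlsplit(url).scheme.lower() == "https"


if __name__ == "__main__":
    creds = extract_credentials(CAPTURED_REQUEST)
    for field in ("ip", "user", "pass", "license"):
        print(f"{field:8} {creds[field]}")
    for url in ("http://upgrade.example.test/upgrade.php",
                "https://upgrade.example.test/upgrade.php"):
        print(url, "->", "ok" if credential_endpoint_is_acceptable(url) else "REFUSE")
```

Note that the percent-encoded `&` in the password decodes cleanly on the sniffer's side; the eavesdropper has no "special characters" problem even if the receiving form does.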
Wouldn't it be better to just say that there's a specific type of vulnerability, and then explain how long it has been open?

Ultimately, it's up to customers and end users to decide if they can tolerate a security hole being open for a few weeks or months. To that end, maybe it's better to go down the food chain and look at what hosts are using WHM, and publish that list. End users could see if their provider is exposed.
1. What is Zamfoo? I've clicked through a few Google results and all I see are references to WHM and various levels of being a "Reseller". I guess I'm not as irritated by Zamfoo's lack of a great About page as I am about the fact that there are still business tech acronyms that I've never encountered before... and I thought mastering "CMS" and "ROI" was good enough.

2. It seems like this is mostly a one-person shop, with the site owner answering the emails and forum discussions. Ugh, nothing like having to maintain holey software yourself... though obviously, I feel much sorrier for anyone who's gotten/is getting hacked.